CVE-2026-9065

Deferred Deferred - Pending Action

Authenticated SQL Injection in SureCart Plugin

Publication date: 2026-05-20

Last updated on: 2026-05-20

Assigner: Tenable Network Security, Inc.

Description

SureCart version prior to 4.2.1 are vulnerable to authenticated SQL injection via multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'. The root cause is a flawed escaping bypass in the query builder ('wp-query-builder'). Values passed to the 'where()' method are only sanitized via '$wpdb->prepare()' when they do **not** contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot anywhere in the payload, an attacker completely bypasses the escaping logic and injects arbitrary SQL into the 'WHERE' clause, allowing full UNION-based extraction of the database.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-20

Last Modified

2026-05-20

Generated

2026-06-10

AI Q&A

2026-05-20

EPSS Evaluated

2026-06-08

NVD

CVE-2026-9065

EUVD

EUVD-2026-31072

Affected Vendors & Products

Vendor	Product	Version / Range
surecart	surecart	to 4.2.1 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-9065 is an authenticated SQL injection vulnerability in SureCart versions prior to 4.2.1. It affects multiple parameters ('model_name', 'model_id', 'integration_id', 'provider') on the REST API endpoint '/surecart/v1/integrations/{id}'.

The root cause is a flaw in the query builder ('wp-query-builder') where values passed to the 'where()' method are only sanitized if they do not contain a dot ('.') or the WordPress table prefix ('wp_'). By including a dot in the payload, an attacker can bypass the escaping logic and inject arbitrary SQL into the 'WHERE' clause.

This allows attackers to perform full UNION-based extraction of the database.

Impact Analysis

This vulnerability allows authenticated attackers to inject arbitrary SQL queries, which can lead to unauthorized access to sensitive data stored in the database.

Attackers can extract data using UNION-based SQL injection, potentially exposing confidential information.

Because the vulnerability requires authentication, it may be exploited by users with some level of access, increasing the risk of insider threats or compromised accounts.

The high CVSSv4 score of 9.3 indicates a severe impact on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability involves authenticated SQL injection via specific parameters in the REST API endpoint '/surecart/v1/integrations/{id}'. Detection would typically involve monitoring or testing these parameters ('model_name', 'model_id', 'integration_id', 'provider') for SQL injection attempts.

Since the vulnerability requires authentication and targets a REST API endpoint, detection can be done by sending crafted requests to the endpoint with payloads containing dots ('.') in these parameters to see if the system behaves unexpectedly or returns SQL errors.

Use curl or similar tools to send authenticated requests to the endpoint with payloads containing dots in the parameters, for example:
curl -X GET 'https://yourdomain.com/surecart/v1/integrations/1' -H 'Authorization: Bearer <token>' -d 'model_name=1.1'
Look for SQL error messages or unusual responses indicating injection.

Additionally, monitoring logs for unusual or malformed requests to this endpoint or unexpected database errors can help detect exploitation attempts.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade SureCart to version 4.2.1 or later, where this vulnerability has been fixed.

Since the vulnerability requires authenticated access, ensure that access to the REST API endpoint '/surecart/v1/integrations/{id}' is restricted to trusted users only.

If upgrading immediately is not possible, consider implementing additional access controls or monitoring to detect and block suspicious requests targeting the vulnerable parameters.

Hi! I’m here to help you understand CVE-2026-9065. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-9065

Authenticated SQL Injection in SureCart Plugin

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart